Purpose and audience

This post aims to give a high-level introduction to the installation and configuration of FreeBSD and RANCID.
The tutorial is intended for newbies in the world of FreeBSD/RANCID.

Disclaimer

I’m myself fairly new to FreeBSD, as the content of this post will reflect.

Installing FreeBSD

Hardware

For my installation I have chosen a very minimal configuration and it seems to work fine. If the server is supposed to perform several functions besides RANCID, you may want to scale accordingly.
And yes – this is a virtual machine. =)
Disk: 10GB
RAM: 512MB
CPU: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz

Installation of FreeBSD

Just a quick tip before we get started: When configuring usernames, hostnames, file names and the like – use ONLY lower case. The reason for this is that UNIX differentiates between, e.g., “Filename” and “filename”, whereas Microsoft considers them the same file. By using only lower case, you never run into such problems. =)

Now – onto the actual installation:

Fairly straightforward. I myself opted for installing SSH and NTP for remote management and time sync.
One thing to keep in mind, though, is to use an FQDN as your hostname and to configure a DNS server. RANCID uses sendmail to send you the configuration differences of your devices, and sendmail requires DNS to function properly.

Configuring IPFW

Locking down any box, especially systems you are somewhat unfamiliar with, might be worthwhile to increase the overall security.
From the resources I’ve used, it seems the appropriate way to configure your ipfw ruleset is by running a script which is defined in /etc/rc.conf.

Word of advice – before enabling the firewall and messing about, make sure the configuration file (/etc/ipfw.sh) is complete and that you have physical access to the server in case you lock yourself out. =)

Create the /etc/ipfw.sh. I used a sample script and edited for my own purpose. We will edit the file shortly.

root@srv-rancid:/usr/home/rancid # ipfw list
00001 check-state
00002 allow ip from any to any via lo0
00003 allow tcp from any to any established
00100 allow tcp from any to 172.32.10.10 dst-port 22 in setup keep-state
00200 allow udp from 172.32.10.10 to any out keep-state
00201 allow tcp from 172.32.10.10 to any out setup keep-state
00400 allow icmp from 172.32.10.10 to any icmptypes 0,3,8,11,12,13,14
00401 allow icmp from any to 172.32.10.10 icmptypes 0,3,8,11,12,13,14
00999 deny ip from any to any
65535 deny ip from any to any

Apparently you cannot remove entry 65535 (not by the command ipfw -q flush anyway), so the script will include two rules denying all traffic other than that explicitly allowed.
I still feel safer having the drop rule in the script file, rather than leaving it out.
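The /etc/ipfw.sh that produces the listing above is not reproduced in the post, so here is an added reconstruction of it (my example, not the author's file). It assumes the rc.conf variables firewall_enable and firewall_script, which is how rc.d/ipfw locates the script, and keeps the server address 172.32.10.10 from the listing; a --dry-run mode prints the commands so the ruleset can be reviewed before the firewall is enabled.

```shell
#!/bin/sh
# /etc/ipfw.sh: an added example reconstructing the ruleset from the "ipfw list"
# output above. It is not the author's own script. /etc/rc.conf must point at it:
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.sh"

ME="172.32.10.10"            # the server's own address, taken from the listing
IPFW="${IPFW:-/sbin/ipfw}"

# One "ipfw add" argument list per line, in the order of the listing. Rule 00100
# admits SSH from anywhere; narrowing "any" to your management network is the usual
# tightening. Rule 00999 is kept even though 65535 already denies everything.
ipfw_rules() {
    cat <<EOF
add 00001 check-state
add 00002 allow ip from any to any via lo0
add 00003 allow tcp from any to any established
add 00100 allow tcp from any to $ME dst-port 22 in setup keep-state
add 00200 allow udp from $ME to any out keep-state
add 00201 allow tcp from $ME to any out setup keep-state
add 00400 allow icmp from $ME to any icmptypes 0,3,8,11,12,13,14
add 00401 allow icmp from any to $ME icmptypes 0,3,8,11,12,13,14
add 00999 deny ip from any to any
EOF
}

rule_count() { ipfw_rules | wc -l | tr -d ' '; }

# load_rules [--dry-run]: flush and reload the ruleset. With --dry-run only the
# commands are printed, which is how to review the script before enabling the firewall.
load_rules() {
    if [ "${1:-}" = "--dry-run" ]; then
        ipfw_rules | sed "s|^|$IPFW -q |"
        return 0
    fi
    "$IPFW" -q flush
    ipfw_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        "$IPFW" -q $rule
    done
}

if [ -x "$IPFW" ]; then
    load_rules
else
    echo "$IPFW not found: nothing loaded (review with: load_rules --dry-run)" >&2
fi
```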

Logging of firewall

Firewall logging is feasible for many installations, but I have chosen not to log anything in order to conserve hardware resources.
To enable firewall logging, /etc/rc.conf also needs the following parameter:

firewall_logging="YES"

Firewall rules with the “log” keyword will be written to syslog.
For more information on the matter I refer to the FreeBSD handbook: http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

Administration

Webmin is a web-based administration tool for Unix-like systems. Although not covered here, I found it worthwhile to mention in case you would like a graphical interface.
A quick Google search for “freebsd webmin” produced several tutorials on the subject. =)

RANCID

Introduction to RANCID

RANCID is a tool which runs various commands on your network equipment and keeps track of changes using CVS.
Personally I find RANCID very neat for two reasons:

It provides historical records for changes to the network equipment

It keeps an up-to-date configuration of your network equipment. And not only that, it also records information regarding software versions, hardware (serial numbers, modules, etc.), VLANs and more.

Installing RANCID

Installation of RANCID was, to be honest, dead simple when I followed a guide I found online (see resources further down), and since the author's steps worked quite brilliantly I’ll more or less repeat them here.

And I will repeat the tip I previously mentioned: When configuring usernames, hostnames, file names and the like – use ONLY lower case. The reason for this is that UNIX differentiates between “Filename” and “filename”, whereas Microsoft considers them the same file. By using only lower case, you never run into such problems. =)

Onwards to the steps!

1. Add a new user called rancid and add it to the wheel group. Membership in the wheel group allows you to execute the command “su” and obtain root privileges.
Issue the command and follow the on-screen instructions:

# adduser

2. Update your ports collection, which is essentially the set of make files for various applications:

# portsnap fetch update

3. Install RANCID from the aforementioned ports collection:

# cd /usr/ports/net-mgmt/rancid/
# make install clean

The installation took quite some time for me, as it needed to download a truckload of different files.
During the installation of the different packages I left all choices at their defaults.

I have a mixture of devices where I require SSH login to some and telnet to others. In this example you will notice the following:

I have added a username for two specific devices.

I have added passwords for two specific devices.

I have added passwords for all (asterisk) devices.

I have added SSH as login method for two specific devices.

I have added telnet as login method for all (asterisk) devices.

This means RANCID will log onto 172.20.1.8 and 172.20.1.5 using SSH with the username admin and the password MyAdminPASSWORD, then enter enable mode using the password MyEnablePASSWORD.
It also means all other devices will be logged onto using telnet with the telnet password MyTelnetPassword, then entering enable mode using the password MyEnablePassword.

Tips’n’tricks

The asterisk works as a wildcard, which means I could also write “add method 172.10.1.* ssh” if I wanted SSH as the login method for all switches on this particular network.

You can also use hostnames rather than IP addresses. This requires your network equipment to be present in DNS or manually configured in your RANCID server's /etc/hosts file.

I hope this was understandable. =)

8. Make the .cloginrc file readable and writable only by your rancid user:

$ chmod 600 /home/rancid/.cloginrc
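The .cloginrc described above (specific hosts with SSH, everything else via telnet) and the mode-600 requirement of step 8 can both be checked with the following script. It is an added example, not the post's or RANCID's own code; the .cloginrc contents are constructed from the post's description, and it assumes the documented "add <directive> <host-pattern> <values...>" format where entries are read top to bottom and the first matching pattern wins.

```shell
#!/bin/sh
# Added example, not from the post: resolve which .cloginrc entry RANCID's clogin
# uses for a host, and check the file mode that step 8 requires. Assumes the
# documented format "add <directive> <host-pattern> <values...>", read top to
# bottom with the first matching pattern winning, so specific hosts precede "*".

# Constructed .cloginrc matching the post's description (sample credentials only).
SAMPLE_CLOGINRC='# specific devices first
add user 172.20.1.8 admin
add user 172.20.1.5 admin
add password 172.20.1.8 MyAdminPASSWORD MyEnablePASSWORD
add password 172.20.1.5 MyAdminPASSWORD MyEnablePASSWORD
add method 172.20.1.8 ssh
add method 172.20.1.5 ssh
# everything else: telnet with the shared passwords
add password * MyTelnetPassword MyEnablePassword
add method * telnet
'
# cloginrc_lookup FILE HOST DIRECTIVE -> prints the value(s) of the first matching
# entry and returns 0; returns 1 when nothing matches (clogin then has no credentials).
cloginrc_lookup() {
    file=$1; host=$2; want=$3
    while read -r kw directive pattern values; do
        [ "$kw" = "add" ] && [ "$directive" = "$want" ] || continue
        # shell case globbing gives the same * and ? wildcards as clogin's patterns
        case "$host" in
            $pattern) printf '%s\n' "$values"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# cloginrc_perms_ok FILE -> 0 only if group and others have no access at all
cloginrc_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Demo: resolve one specific host and one that only the wildcard entries match.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s' "$SAMPLE_CLOGINRC" > "$tmp" && chmod 600 "$tmp"
    for host in 172.20.1.8 172.20.1.77; do
        user=$(cloginrc_lookup "$tmp" "$host" user) || user="(none: password-only login)"
        echo "$host: method=$(cloginrc_lookup "$tmp" "$host" method) user=$user"
    done
    cloginrc_perms_ok "$tmp" && echo "mode ok" || echo "mode too open, run chmod 600"
    rm -f "$tmp"
}
demo
```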

9. The installation may have created the /usr/local/var/rancid/ directory. We want to remove that and re-create it as the user rancid.
In order to enable our rancid user to create the directory, we will have to change the parent directory's permissions as well.

10. Now create the initial directory structure and then the data directories:

$ /usr/local/bin/rancid-run
$ /usr/local/bin/rancid-cvs

11. The structure should be in place with the group name you configured in step 5:

$ cd /usr/local/var/rancid/CiscoDevices

12. In this directory you should find a file called router.db – edit this file and enter your network devices.
The first field is the device IP/hostname, the second is the device type, and the third defines whether the device is up or down, i.e. whether it should be polled.

If you used a different group name (or several for that matter) you need to add those to the file.
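A malformed router.db entry is easy to overlook, so here is an added checker for the format just described (my example, not part of the post or RANCID). It assumes the colon-separated host:type:state lines of RANCID 2.x, which the FreeBSD port installed at the time; RANCID 3 later changed the separator to a semicolon.

```shell
#!/bin/sh
# Added example, not from the post: check a router.db before handing it to rancid-run.
# Assumes the colon-separated "host:type:state" lines of RANCID 2.x, which the
# FreeBSD port installed at the time (RANCID 3 changed the separator to ';').

# Constructed sample: two good entries, an upper-case state and a missing field.
SAMPLE_ROUTER_DB='172.20.1.8:cisco:up
172.20.1.5:cisco:down
switch01:cisco:UP
172.20.1.9:cisco
'

# routerdb_lint FILE -> prints one line per problem; returns 0 only if none were found.
routerdb_lint() {
    bad=0; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac       # blanks and comments are fine
        oldIFS=$IFS; IFS=:; set -- $line; IFS=$oldIFS  # split the line on ':'
        if [ $# -ne 3 ]; then
            echo "line $n: expected host:type:state, got '$line'"; bad=$((bad + 1))
            continue
        fi
        case "$3" in
            up|down) ;;
            *) echo "line $n: state '$3' is not lower-case up/down"; bad=$((bad + 1)) ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# routerdb_up FILE -> hosts whose state is the lower-case "up" the lint accepts
routerdb_up() {
    grep -v '^#' "$1" | awk -F: 'NF == 3 && $3 == "up" { print $1 }'
}

# Demo on the constructed sample.
tmp=$(mktemp) && printf '%s' "$SAMPLE_ROUTER_DB" > "$tmp"
routerdb_lint "$tmp" || echo "fix router.db before running rancid-run"
echo "devices to poll: $(routerdb_up "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```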

14. Assuming you are running FreeBSD with its defaults and therefore using sendmail, you now issue the following command, which rebuilds the aliases database from /etc/aliases:

# newaliases

15. Run rancid again – as the user rancid. Do not run rancid as root.

# exit
$ /usr/local/bin/rancid-run

If everything is OK, you should shortly receive an e-mail with the configuration changes (which will be the whole config, as this is the initial configuration).
Note: Because your rancid server will act as an SMTP server, an entry for it needs to be present on your DNS server. I tried fooling it by editing /etc/hosts and so on, but landed squarely on using DNS rather than a hack.

16. Since everything went smoothly, you received an e-mail and the directories were populated with configuration files, you probably want RANCID to run automatically. Cron will aid you with this.
Configure cron as the rancid user:

4 Responses to “A guide to installing FreeBSD and RANCID”

Hi, I was looking for information on configuring it to send one e-mail a day. I read your configuration file but do not understand how this configuration takes effect: you say you create the file, but how do you instruct RANCID to run this file and not the predefined one for sending e-mail?
Greetings and thank you

This has been a really great article. Thanks for sharing. I managed to configure RANCID and am able to log in to the router successfully as well. The whole purpose of configuring it was to use rancid.lg to set up a looking glass. I can successfully execute the CGI form script, but when I try to ping it gives me an error

[Quote]
Looking Glass Error:

You must at least choose a Query and a router. Try buying a clue.
[Unquote]